JPH08262976A - Device for authenticating individual - Google Patents

Abstract

PURPOSE: To provide a method for authenticating the individual with high safety. CONSTITUTION: A sales company (a) to which authentication application information is transmitted from a user (i) unidirectionally converts the information by associating random number parameters therewith and transmits the information as question information for authentication to the user (i). The user (i) inputs the identification number of his own credit member and a pass word, converts the received question information for authentication by associating the information with the pass word, forms the answer information for authentication and transmits the information together with the identification number of the user (i) to the sales company (a). The sales company (a) forms reference information for authentication by unidirectionally converting the received answer information for authentication so as to cancel the random number parameters and transmits the received identification number and the reference information for authentication to a credit company (b). The credit company (b) retrieves previously stored and transformed secret information with the received identification number as a key and transmits authentication or rejection information to the sales company (a). The sales company (a) transmits the authentication or rejection information transmitted from the credit company (b) to the user (i).

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a personal authentication method, and more specifically, the first and second certificate authorities cooperate with each other to provide information on a person to be authenticated, which is sent from the certificate authority. Regarding how to authenticate.

[0002]

2. Description of the Related Art In recent years, it has become commonplace to make payments for product purchases using credit cards. For credit card payments, it must be confirmed that the card user is the cardholder. This is called identity verification. Below, we describe the method that has been conventionally used to confirm the identity and clarify the problems.

(First Conventional Example) A credit card user signs a purchase slip for identity verification and collates it with the signature of the card holder written on the back of the card. The verification of the signature is usually performed by a human. It is very difficult, if not impossible, to verify signatures by computer. Therefore, this type of identity verification is limited to over-the-counter sales.

(Second Conventional Example) Recently, payment by credit card is used not only for over-the-counter sales but also for purchases by a commodity sales device (such as a vending machine). In this case, since it is technically difficult to confirm the identity of the card holder by the signature of the card user, it is common to confirm the identity of the person using the personal identification number.
That is, as shown in FIG. 23, the user operates the sales device to purchase a product. This vending device is connected to a credit card company by a communication line. When the user installs the credit card in the card reader of the vending machine in order to pay by the credit card, the card reader reads information such as the identification number of the credit card and the name of the user. Then, the vending device prompts the user to input the card number IDi and the card personal identification number registered for the credit card in order to confirm whether the card user is the card owner. On the other hand, when the user inputs the personal identification number, the personal identification number is transmitted to the credit card company via the communication line. The credit card company searches the database using the card number as a key, and retrieves information about the credit card. Then, the personal identification number set when the user registered at the time of joining the credit member is compared with the personal identification number currently sent from the user. As a result of the comparison, the credit card company sends to the vending apparatus information indicating that the card user is the card owner himself if the personal identification numbers match, and information indicating that the card user is not the principal if the personal identification numbers do not match. The sales device that received this information
Decide whether to continue or stop the sales process according to the notified personal authentication information.

In order for the personal identification by the card personal identification number to be established, it is necessary that the card personal identification number is disclosed only to the credit card company and the card owner. In the case of the above sales system, it is necessary for the sales device to be operated under sufficient management such as being installed in a physically protected area. In addition, it is necessary that the personal identification number being input to the vending device and the card personal identification number not be tapped from the communication line between the vending device and the credit card company. In order to realize such a system, it is necessary for the credit card company to judge that the above conditions are satisfied. For this reason, the scope of application of the above system is very limited, such as when the credit card company manages the selling device itself or when the credit card company can trust the administrator of the selling device such as a commuter train ticket. Are limited to selling products.

(Third Conventional Example) On the other hand, recently, mail-order sales in which an individual orders an item by personal computer (personal computer) communication have become widespread. A credit card is often used to pay the fee for mail order using such a network. This is because (1) the user can pay more easily than registered mail or bank transfer, and (2) the sales company can get a payment guarantee when receiving an order. When a credit card is used to pay a fee for mail order, conventionally, only the membership number is presented. However, the cardholder number is likely to be known to a third party by receipt or the like. Therefore, identification is required. The most natural thing to consider is the above-mentioned identification of the person using the card personal identification number. This will be explained below.

A user activates mail order software of a personal computer at home, and this personal computer is connected to a selling device of a mail order company by a telephone line, and this selling device is connected to a credit card company by a communication line. .. In order for the user to make a payment by card, the sales company is notified of the card number. At this time, the vending device of the vending company prompts the user to enter the personal identification number registered for the card in order to confirm whether the card user is the card owner. On the other hand, when the user inputs the personal identification number, the personal identification number is transmitted to the credit card company via the telephone line. The card company searches the database by using the card number as a key and retrieves information about the card. Then, the personal identification number set by the user when joining the credit member is compared with the personal identification number currently sent from the mail-order company.
As a result, if the two match, the card user sends information indicating that the user is the card owner, and if the two do not match, information indicating that the user is not the principal is sent to the selling device of the mail order company. Upon receipt of this information, the selling device determines whether to continue or stop the selling process according to the notified personal authentication information.

Comparing the system of the third conventional example with the second conventional example, the "selling device" in the second conventional example is compared.
Corresponds to a device consisting of "user's personal computer", "telephone line", and "sales device of mail order company". Considering the risk that the personal identification number of the user is known in this device, there is two possibility that this risk is greater than the risk of the second conventional example. The first possibility is the problem of eavesdropping on the telephone line. It is considered that the telephone line connecting ordinary households and mail-order companies can be easily tapped. The second possibility is the physical safety of the vending device. In the second conventional example, it is stated that the vending device needs to be installed in a physically protected area. And
It was stated that access is limited to cases where access from non-related parties as well as access from general users such as vending machines for commuter passes can be strictly managed. On the other hand, in the third conventional example, the selling device of the mail order company is realized as a computer normally installed in the selling company, and it is necessary to oblige the computer to perform the strict access control as described above. However, since it is assumed that such strict physical access control is not actually carried out, as a result, it is difficult for the user's personal identification number to be protected strictly, the credit card company judges. I have to do it.

(Fourth Conventional Example) Therefore, a personal authentication system as shown in FIG. 24 can be considered. In FIG. 24,
Consumers and credit card companies have a card number ID
i and password pw are shared, and some function f
To share. The function f has a property that f (x) can be easily calculated from x, but the value of x cannot be easily estimated from the value of f (x). Below, a function having such a property is called a one-way function. Hereinafter, f (pw) is referred to as a converted password for the password pw.
When the sales device of the sales company prompts the user to input the personal identification information, the user inputs the password pw into the personal computer, and the personal computer calculates the conversion password f (pw) from the password pw. Then, the personal computer, along with the card number IDi, converts the conversion password f (p
w) is sent to the mail order company. The mail-order company transfers the card number IDi and the conversion password f (pw) to the credit card company. The credit card company that receives this receives f for the password PW stored in the database corresponding to the card number.
Calculate (PW) and compare with the converted password f (pw) sent as above. If the results match, the user is authenticated as the cardholder himself, and if they do not match, it is determined that the user is not the cardholder. Then, the information to that effect is notified to the mail-order company.

In the personal authentication system of the fourth conventional example, the password pw does not flow on the telephone line as it is, and the processing is performed by the selling device of the mail order company which is not necessarily secure. Therefore, the safety is higher than that of the above-mentioned third conventional example. However, the converted password f (pw) flowing over the telephone line always has the same value, and an illegal person who eavesdrops on the telephone line sends the card number IDi and f to the mail order company.
If you send (pw), this information will be determined by the credit card company to be the correct pair, and the fraudster will be considered the correct cardholder. Then, the fraudulent person becomes the original owner of the card and succeeds in fraudulent purchase of goods and payment of the card.

(Fifth Conventional Example) Therefore, as a personal authentication system in which the information flowing through the communication line changes every time, the system shown in FIG. 25 can be considered. In FIG. 25, the user and the credit card company share the card number and the password pw corresponding thereto in advance. Credit card companies store sets of card numbers of many users and their corresponding passwords in a database. further,
The user and the credit card company share a certain two-input one-output function g. The function g has a property that the value of x cannot be estimated even if the values of g (x, y) and y are known. When the sales device of the sales company generates a random number r and prompts the user to input the random number to input the information for identification, the user inputs the card number IDi and the password pw into the personal computer, and the personal computer Calculates the converted password g (r, pw) from pw. Then, the personal computer displays the card number IDi and the conversion password g (r,
pw) is sent to the mail order company. The mail-order company uses the card number IDi and the conversion password g (r, p
w) and the random number r are transferred to the credit card company.
The credit card company receiving this calculates g (r, PW) for the password PW stored in the database corresponding to the card number, and the converted password g (sent as described above r, pw). If the results match, the user is authenticated as the cardholder himself, and if they do not match, it is determined that the user is not the cardholder himself. Then, the credit company notifies the mail order company of the information to that effect.

[0012]

However, in the case of the personal authentication system in the fifth conventional example, it is necessary for the credit card company to calculate g (r, PW). In the personal authentication system in the physically protected vending device shown in the second conventional example, the credit card company only needs to refer to the database for information processing, whereas this is great for the credit card company. There is a problem that it imposes a burden on information processing. Also,
This also has the drawback of making major changes to the online systems of credit card companies.

Therefore, an object of the present invention is to provide a personal authentication method capable of highly secure authentication while reducing the burden on the first certificate authority (for example, a credit company) and system changes. .

[0014]

According to a first aspect of the present invention,
The first certification authority is directed to a method in which the first and second certification authorities cooperate to certify the information about the certification subject sent from the certification authority. And the converted secret information, which is the result of the first one-way conversion of the secret information corresponding to the identification information, are stored in the database in advance. When authentication is desired, a first variable parameter is generated, and a second one-way conversion is performed on the first variable parameter to generate authentication application information depending on the first variable parameter. And sends it to the second certificate authority, and when the second certificate authority receives the certificate application information, generates a second variable parameter, and with respect to the second variable parameter and the received certificate application information, By applying the third one-way conversion, the first And the authentication question information dependent on the second variable parameter and transmitted to the authenticated station, and the authenticated station sends the received authentication question information, the first variable parameter, and the authenticated person to be authenticated. By performing the fourth one-way conversion on the unique secret information, the response information for authentication that does not depend on the first variable parameter is generated, and the identification information of the authenticated person is transmitted to the second certificate authority. Send and second
The certificate authority of 5 performs the fifth one-way conversion on the received response information for authentication and the second variable parameter to generate and receive the inquiry information for authentication that does not depend on the second variable parameter. The identification information of the person to be authenticated is transmitted to the first certificate authority, and the first certificate authority searches the database for the conversion secret information corresponding to the received identification information, and the authentication the received conversion secret information is received. Check whether it matches the query information, and if it matches, it means that the authenticated person is a legitimate authenticated person, and if it does not match, it means that the authenticated person is not authenticated as an authorized authenticated person. The authentication information is transmitted to the second certificate authority, and the second certificate authority authenticates the person to be authenticated by the received authentication information.

A second aspect of the present invention is directed to a method in which the first and second certification authorities cooperate to certify information about a person to be certified sent from the certification authority, and The certificate authority of No. 1 stores in advance in the database a set of the identification information of the person to be authenticated and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information. The second certificate authority generates a first variable parameter when a certificate application is made by the certificate authority and performs a second one-way conversion on the first variable parameter. , Generating authentication question information dependent on the first variable parameter and transmitting the authentication question information to the authenticated station. When the authenticated station receives the authentication question information, the authenticated station generates a second variable parameter, 2 variable parameters, authentication question information and should be certified By performing the third one-way conversion on the secret information unique to the authenticator, the secret information, the first authentication response information that depends on the first and second variable parameters, and the second variable parameter And second response information for authentication depending on, and with the identification information of the person to be authenticated,
By transmitting to the second certificate authority, the second certificate authority performs a fourth one-way conversion on the first variable parameter and the received first and second authentication response information, Authentication inquiring information that does not depend on the first and second variable parameters is generated and transmitted to the first certificate authority together with the received identification information of the person to be authenticated, and the first certificate authority receives the person to be authenticated. The converted secret information corresponding to the identification information of the is searched from the database, and it is checked whether the searched converted secret information matches the received inquiry reference information for authentication. If it does not match, it sends authorization information indicating that it is not a legitimate subject to be authenticated to the second certification authority, and the second certification authority authenticates the subject by the received authorization information. It is characterized by

A third aspect of the present invention is directed to a method in which the first and second certificate authorities cooperate to authenticate information about a person to be authenticated, which is sent from the certificate authority. The certificate authority of No. 1 stores in advance in the database a set of the identification information of the person to be authenticated and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information. Therefore, the second certificate authority generates a variable parameter when a certificate application is made by the certificate subject, and performs a second one-way conversion on the variable parameter to depend on the variable parameter. The generated authentication question information is generated and transmitted to the authenticated station, and the authenticated station performs the third one-way conversion on the received authentication question information and secret information unique to the authenticated person to be authenticated. By generating the response information for authentication, The identification information of the authenticator is transmitted to the second certificate authority, and the second certificate authority performs the fourth one-way conversion on the variable parameter and the received response information for authentication to obtain the variable parameter. Generates independent inquiry information for authentication, along with the received identification information of the authenticated person,
Then, the first certificate authority searches the database for the conversion secret information corresponding to the received identification information of the person to be authenticated, and the retrieved conversion secret information and the authentication reference information for authentication are received. It is checked whether or not they match, and if they match, authentication information indicating that the person to be authenticated is a legitimate person to be authenticated, and if they do not match, authentication information indicating that the person is not a legitimate person to be authenticated is sent to the second certificate authority. The second certificate authority authenticates the person to be authenticated by the received approval / disapproval information.

A fourth aspect of the present invention is directed to a method in which first and second certification authorities cooperate to certify information about a person to be certified sent from the certification authority, and The certification authority of No. 1 stores in advance in the database a set of the identification information of the person to be authenticated and the converted secret information which is the result of the first one-way conversion of the secret information corresponding to the identification information. Therefore, when the subject person wants to authenticate,
By generating a first variable parameter and subjecting the first variable parameter and public information about the second certificate authority to a second one-way conversion, the first variable parameter and the public information When the certificate application receives the certificate application information, the second certificate authority receives the certificate application information and the secret information unique to itself, and sends the certificate application information to the second certificate authority. By performing the one-way conversion of 3, the first shared key information that does not depend on the public information is generated,
Authentication that depends on the first and second variable parameters by generating a second variable parameter and performing a fourth one-way conversion on the second variable parameter and the first shared key information. Generating the inquiry question information and transmitting the inquiry question information to the authenticated station, and the authenticated station receives the authentication question information, the first variable parameter, and the secret information unique to the authenticated person to be authenticated, from the fifth information. By applying unidirectional conversion,
The authentication response information that does not depend on the first variable parameter is generated, and the second shared key information is generated by performing the sixth one-way conversion on the first variable parameter. The identification information is encrypted with the second shared key information and transmitted to the second certificate authority together with the authentication response information, and the second certificate authority receives the encrypted object encrypted with the received second shared key information. Depends on the second variable parameter by decrypting the identification information of the authenticator with the first shared key information and performing the seventh one-way conversion on the received authentication response information and the second variable parameter. No authentication reference information is generated, and the authentication reference information is transmitted to the first certificate authority together with the decrypted identification information of the person to be authenticated, and the first certificate authority converts the converted secret corresponding to the received identification information. The information is retrieved from the database and the converted secret information retrieved Check whether it matches the authentication inquiry information received, and if they match, the subject is a legitimate subject, and if they do not, the subject is a legitimate subject. It is characterized in that the authentication information indicating that the authentication is not performed is transmitted to the second certificate authority, and the second certificate authority authenticates the person to be authenticated by the received authentication information.

A fifth aspect of the present invention is directed to a method in which the first and second certification authorities cooperate to certify information on a person to be certified sent from the certification authority, and The certificate authority of No. 1 stores in advance in the database a set of the identification information of the person to be authenticated and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information. Therefore, when the subject person wants to authenticate,
By generating a first variable parameter and subjecting the first variable parameter and public information about the second certificate authority to a second one-way conversion, the first variable parameter and the public information When the certificate application receives the certificate application information, the second certificate authority receives the certificate application information and the secret information unique to itself, and sends the certificate application information to the second certificate authority. By performing the one-way conversion of 3, the first shared key information that does not depend on the public information is generated,
Authentication that depends on the first and second variable parameters by generating a second variable parameter and performing a fourth one-way conversion on the second variable parameter and the first shared key information. Generating the inquiry question information and transmitting the inquiry question information to the authenticated station, and the authenticated station receives the authentication question information, the first variable parameter, and the secret information unique to the authenticated person to be authenticated, from the fifth information. By applying unidirectional conversion,
The authentication response information that does not depend on the first variable parameter is generated, and the second shared key information is generated by performing the sixth one-way conversion on the first variable parameter. 2 is encrypted with the shared key information and is sent to the second certificate authority together with the authentication response information and the identification information of the person to be authenticated, and the second certificate authority is encrypted with the received second shared key information. Depends on the second variable parameter by decrypting the given predetermined information with the first shared key information, and subjecting the received authentication response information and the second variable parameter to the seventh one-way conversion. No authentication inquiry information is generated, and the authentication inquiry information is sent to the first certificate authority together with the identification information of the authenticated person who has received the authentication inquiry information. Retrieve information from the database,
It is checked whether the converted secret information that is retrieved matches the received authentication inquiry information. If they match, it means that the subject is a legitimate subject, and if they do not match, the subject is legitimate. It is characterized in that authorization information indicating that the person to be authenticated is not authenticated is transmitted to the second certificate authority, and the second certificate authority authenticates the person to be authenticated by the received authorization information.

A sixth aspect of the present invention is a method in which the first and second certification authorities cooperate to certify information about a person to be certified sent from the certification authority. The certificate authority stores in advance in the database a set of the identification information of the person to be authenticated and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information. , The second certificate authority generates a first variable parameter when a certificate application is made by the certificate authority and performs a second one-way conversion on the first variable parameter, The authentication question information that depends on the first variable parameter is generated and transmitted to the authenticated station, and when the authenticated station receives the authentication question information, the authenticated station generates the second variable parameter and sends the second variable parameter. Variable parameters, authentication question information, and subject to be authenticated By performing the third one-way conversion on the unique secret information, the first authentication response information that depends on the secret information and the first and second variable parameters is generated, and the second variable parameter is generated. And a second one-way conversion is performed on the public information about the second certificate authority to generate second authentication response information that depends on the second variable parameter and the public information. The first shared key information is generated by performing the fifth one-way conversion on the second variable parameter, the identification information of the authenticated person is encrypted with the first shared key information, and A second one is transmitted to the second certificate authority together with the second response information for authentication, and the second certificate authority receives the second response information for authentication and the secret information unique to the own station in the sixth one direction. A second shared key that does not depend on public information by performing sex conversion Generates a broadcast, the first identification information of the person to be authenticated the shared encrypted with key information decrypted in the second shared key information received, the second
Authentication information that does not depend on the first and second variable parameters by performing a seventh one-way conversion on the shared key information, the first variable parameter, and the received first authentication response information. Is generated and transmitted to the first certification authority together with the identification information of the authenticated person who has decrypted the authentication inquiry information,
The first certificate authority searches the database for the converted secret information corresponding to the received identification information of the authenticated person, checks whether or not the searched converted secret information matches the received authentication inquiry information, and matches If it does, the authenticatee is a regular authenticatee, and if they do not match, the authorization information indicating that the authenticatee is not a regular authenticatee is transmitted to the second certificate authority. The authentication subject is authenticated by the received approval / disapproval information.

A seventh aspect of the present invention is directed to a method in which the first and second certification authorities cooperate to certify the information about the person to be certified sent from the certification authority. The certificate authority of No. 1 stores in advance in the database a set of the identification information of the person to be authenticated and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information. Therefore, the second certificate authority generates the first variable parameter when there is a certificate application from the certificate authority and performs the second one-way conversion on the first variable parameter. , The authentication question information depending on the first variable parameter is generated and transmitted to the authenticated station, and the authenticated station generates the second variable parameter when the authentication question information is received, 2 variable parameters, authentication question information and should be certified By performing the third one-way conversion on the secret information unique to the authenticator, the first authentication response information depending on the secret information and the first and second variable parameters is generated, and the second authentication response information is generated. By performing a fourth one-way conversion on the variable parameter and the public information about the second certificate authority, second authentication response information dependent on the second variable parameter and the public information is generated. Then, the first shared key information is generated by performing the fifth one-way conversion on the second variable parameter, and the predetermined information is encrypted with the first shared key information, and The second authentication response information and the identification information of the person to be authenticated are transmitted to the second certificate authority, and the second certificate authority receives the received second authentication response information and secret information unique to itself. On the other hand, by performing the sixth one-way conversion, The first does not depend on the 2
Shared secret information is generated, predetermined information encrypted with the received first secret secret information is decrypted with the second secret secret information, and the second secret secret information and the first variable parameter are generated. By subjecting the received first authentication response information to the seventh one-way conversion, authentication inquiry information that does not depend on the first and second variable parameters is generated, and the authentication inquiry information is received. Together with the identification information of the authenticated subject, which is transmitted to the first certificate authority, the first certificate authority searches the database for the conversion secret information corresponding to the received identification information of the authentication target, and the retrieved conversion secret. Examine whether the information matches the received authentication inquiry information, and if the information matches, the authenticated person indicates that the authenticated person is a legitimate authenticated person. Send the information to the second certificate authority , Wherein the authenticating the person to be authenticated by the disapproval information received.

As described above, in the first to seventh aspects of the present invention, the authentication response information including the confidential information of the authenticated person is sent from the authenticated station to the second authentication station. Since the authentication response information has been unidirectionally converted, the second certificate authority cannot know the confidential information of the person to be authenticated from the authentication response information. In addition, the first certificate authority only searches the database without performing any calculation, and transmits approval / denial information indicating approval / disapproval of the authentication result to the second certificate authority. Second
The certification authority certifies the person to be authenticated based on the approval / denial information sent from the first certification authority. Communication information exchanged between the authenticated station and the second certificate authority and communication exchanged between the first certificate authority and the second certificate authority are unidirectionally converted. Therefore, there is no possibility that information will be leaked even if it is eavesdropped.

Further, in the fourth and sixth aspects, since the identification information of the authenticated person sent from the authenticated station to the second authentication station is encrypted and sent, the identified information is known to the third party. There is no fear. Moreover, since the key information used for this encryption changes dynamically according to the first variable parameter generated in the authenticated station, there is no risk of the key being decrypted and the identification information leaking. In addition to the identification information of the person to be authenticated, other information (for example, product order information) may be encrypted and transmitted. Further, as in the fifth and seventh aspects, the identification information of the person to be authenticated may not be encrypted, but other information accompanying it may be encrypted and transmitted. What information is encrypted and transmitted may be determined according to the application of the system to which the present invention is applied.

In the above first to seventh aspects, random number parameters can be used as the first and second variable parameters. In this case, since the first and second variable parameters change irregularly every time, the confidentiality of data is further improved. If the confidentiality of data is not so required, a parameter that changes regularly may be used.

In the first to seventh aspects, the secret information corresponding to the identification information of the person to be authenticated is a positive integer si, p is a prime number, and g is an integer value satisfying the inequality 1 <g <p. In this case, the remainder value obtained by dividing g ^si by the prime number p may be used as the conversion secret information. Furthermore, when h is a hash function, the remainder value obtained by dividing ^{gh (si)} by the prime number p may be used as the conversion secret information. The use of a hash function is particularly effective when the number of digits of the secret information si is small. It is effective to improve the confidentiality of data that the integer value g is changed for each authenticated person. Similarly, changing the hash function h for each authenticated person is effective in improving the confidentiality of data.

[0025]

BEST MODE FOR CARRYING OUT THE INVENTION

(1) First Embodiment FIG. 1 is a block diagram showing the configuration of a personal authentication system according to the first embodiment of the present invention. The personal authentication system according to the first embodiment is composed of a plurality of users i, a sales company a, and a credit company b. Also, in the personal authentication system of the first embodiment, is the credit company b requested by the sales company a to be a legitimate user when paying the price in the mail order system via the network with a credit card? Please authenticate and inform.

In FIG. 1, a user i is provided with an authentication application device 10 composed of a computer or the like.
The sales company a is provided with an authentication relay device 20 composed of a computer or the like. Credit company b
User authentication device 30 composed of a computer or the like
Is provided. The user i is connected to the sales company a by personal computer communication and bidirectionally exchanges information. The sales company a is connected to the user i and the credit company b by personal computer communication, and exchanges information bidirectionally. The credit company b is connected to the sales company a by personal computer communication, and exchanges information bidirectionally.

FIG. 2 is a block diagram showing an example of the configuration of the authentication application device 10 provided for the user i shown in FIG. In FIG. 2, the authentication application device 10 includes a control unit 1
01, ROM 102, RAM 103, input operation device 104, display device 105, random number generator 106, and communication unit 107.

Program data is stored in the ROM 102, and the control unit 101 operates according to this program data. The RAM 103 stores various data necessary for the operation of the control unit 101. The input operation device 104 includes a keyboard and a mouse operated by a user,
Various data and instructions are input to the control unit 101. The display device 105 includes a CRT display or a liquid crystal display device, and displays the image data given from the control unit 101. The random number generator 106 generates a random number required for authentication application. The communication unit 107 is connected to the sales company a by personal computer communication, and transmits and receives various data.

FIG. 3 is a block diagram showing an example of the configuration of the authentication relay device 20 provided in the sales company a shown in FIG. In FIG. 3, the authentication relay device 20 includes a control unit 2
01, ROM 202, RAM 203, random number generator 204, secret key storage unit 205, and communication unit 206.

Program data is stored in the ROM 202, and the control unit 201 operates according to this program data. The RAM 203 stores various data necessary for the operation of the control unit 201. The random number generator 204 generates a random number necessary for generating authentication question information. The private key storage unit 205 is configured to store a private key necessary for performing cryptographic communication with the credit company b and cannot be read from the outside. The communication unit 206 is connected to each user and the credit company b by personal computer communication, and transmits and receives various data.

FIG. 4 is a block diagram showing an example of the configuration of the user authentication device 30 provided in the credit company b shown in FIG. In FIG. 4, this user authentication device 30
Is a control unit 301, a ROM 302, and a RAM 303
A personal data storage unit 304 and a private key storage unit 305
And a communication unit 306.

Program data is stored in the ROM 302, and the control unit 301 operates according to this program data. The RAM 303 stores various data necessary for the operation of the control unit 301. Individual data storage unit 30
4 stores the identification number of each user and the conversion secret information,
It is configured so that it cannot be read from the outside. The private key storage unit 305 is configured to store a private key necessary for performing cryptographic communication with the sales company a and cannot be read from the outside. The communication unit 306 is a sales company a,
It is connected by PC communication and sends and receives various data.

FIG. 5 is a sequence chart showing the operation of the entire personal authentication system of the first embodiment shown in FIG. FIG. 6 is a flowchart showing the operation of the authentication application device 10 of FIG. 1 when applying for authentication. This operation corresponds to (1) in FIG. FIG. 7 is a flowchart showing the operation of the authentication relay device 20 of FIG. 1 when generating the authentication question information. This operation corresponds to (3) in FIG. FIG. 8 is a flowchart showing the operation of the authentication application device 10 of FIG. 1 when generating authentication response information. This operation is (5) in FIG.
Corresponding to. FIG. 9 is a flowchart showing the operation of the authentication relay device 20 of FIG. 1 when generating the authentication inquiry information. This operation corresponds to (7) in FIG. FIG. 10 is a flowchart showing the operation of the user authentication device 30 of FIG. 1 at the time of user authentication verification. This operation corresponds to (9) in FIG. Hereinafter, with reference to these FIG. 5 to FIG.
The operation of this embodiment will be described.

In this system, user authentication is performed by a calculation in a finite field modulo a large prime number p of about 512 bits. p is predetermined by the system and is given to each user i, sales company a, and credit company b. Further, an integer g that satisfies the inequality 1 <g <p is commonly used and is given to each user i and the credit company b. Further, the function h is calculated from any non-negative integer x such that 0 <
An integer value that satisfies h (x) <p-1 is generated, and the function is such that it is difficult to estimate x from h (x). Function h
Are given to each user i and credit company b.
Note that such a function h is called a hash function, and its existence and feasibility are described in "Introduction to Cryptographic Theory" by Eiji Okamoto.
(Kyoritsu Shuppan).

Each user is given an identification number IDi when he / she registers as a member of the credit company b. Also, at that time, a non-negative integer s that is my password
Notify i to credit company b. Credit company b
Uses the password si and the function h to calculate the conversion secret information {gh ^(si) mod p} in advance, and stores it in the individual data storage unit 304 in combination with the identification number IDi and the password si. deep. However, α mod β indicates the remainder when α is divided by β. Also, the sales company a
The credit company b shares the secret key k in advance and is stored in the secret key storage unit 205 and the secret key storage unit 305, respectively. Further, the selling company a and the credit company b hold a secret key encryption algorithm E and a secret key decryption algorithm D.

When the user i directly applies to the credit company b for authentication, his / her identification number IDi and password si are presented to the credit company. Credit company b
Searches the personalized data storage unit 304 from the presented IDi, and authenticates the user when the stored password is equal to the presented value, and does not authenticate the user when not equal.

Next, the procedure when the sales company b authenticates the user i will be described. All the following processes shall be performed in real time.

In the mail-order sales system via the network, when the user i purchases the product of the sales company a and pays the price with a credit card, the sales company a asks whether the user i is an authorized user. Authenticate with the help of a credit company. That is, the user i instructs the authentication application device 10 to apply for user authentication (step S101 in FIG. 6). On the other hand, the control unit 101 of the authentication application device 10 generates the random number parameter x using the random number generator 106 (step S102).
At this time, the random number parameter x is an integer that satisfies the condition of 0 <x <p-1 gcd (x, p-1) = 1. However, gcd (α, β)
Indicates the greatest common divisor of α and β. Next, the control unit 1
01 uses the random number parameter x to authenticate application information A
pp is calculated by App = g ^x mod p, and the random number parameter x is stored in the RAM 103 (step S103). Next, the control unit 101 informs the sales company a via the communication unit 107 by personal computer communication that the user authentication is desired and transmits the authentication application information App (step S104).

In the sales company a, the control unit 201 controls the authentication application information Ap received from the user i via the communication unit 206.
p is stored in the RAM 203 (step S20 in FIG. 7).
1). Next, the control unit 201 uses the random number generator 204 to generate a random number parameter r (step S20).
2). At this time, the random number parameter r is an integer that satisfies the condition of 0 <r <p-1 gcd (r, p-1) = 1. Next, the control unit 201 controls the R
The authentication application information App is retrieved from the AM 203, the authentication question information Cha is calculated using this random number parameter r as Cha = App ^r mod p = g ^xr mod p, and the random number parameter r is stored in the RAM 203 (step S203). . Next, the control unit 201 transmits the authentication question information Cha by personal computer communication to the user i via the communication unit 206 (step S204).

For the user i, the control unit 101 uses the communication unit 1
Authentication question information C received from sales company a via 07
ha is stored in the RAM 103 (step S3 in FIG. 8).
01). Next, the user i inputs his / her credit member identification number IDi and password si (step S302). Next, the control unit 101 reads the random number parameter x stored in the RAM 103 and calculates an integer y satisfying the condition of xy mod p-1 = 1 0 <y <p-1 (step S30).
3). At this time, since gcd (x, p-1) = 1, such y always exists. Regarding the algorithm for obtaining such y, Shinichi Ikeno,
It is described in detail in “Current Cryptography” by Kenji Koyama (IEICE).

Next, the control unit 101 substitutes the input password si into the hash function h to obtain the hash value h (s
i) is calculated (step S304). Then, the control unit 101 extracts the authentication question information Cha from RAM 103, the authentication response information Resp against Cha, calculated by ^{Resp = Cha yh (si) mod} p = g xryh (si) mod p ( Step S305) . At this time, 0 <a <
For any integer a that satisfies p, a ^p-1 mod p = 1 holds. This is described in detail in "Current Cryptography" by Shinichi Ikeno and Kenji Koyama (IEICE). Further, from xy mod p-1 = 1, it is expressed as xy = n (p-1) +1 (n is an integer). Therefore, Resp = g ^{xryh (si)} mod p = (g ^xy ) ^{rh (si)} mod p = [g ^{{n (p-1) +1}} ] ^{rh (si)} mod p = [{g ^{(p-1 )} } ^N × g] ^{rh (si)} mod p = (1 ⁿ × g) ^{rh (si)} mod p = g ^{rh (si)} mod p. Then, the control unit 101 performs personal computer communication with the sales company a via the communication unit 107 to identify the identification number I of the user i.
Di and the authentication response information Resp are transmitted (step S306).

In the sales company a, the control unit 201 stores the identification number IDi and the authentication response information Resp received from the user i via the communication unit 206 in the RAM 203 (step S401 in FIG. 9). Next, the control unit 201
The random number parameter r stored in the RAM 203 is read, and an integer s that satisfies the condition of rs mod p-1 = 1 0 <s <p-1 is calculated (step S40).
2). At this time, since gcd (r, p−1) = 1, such s always exists.

Next, the control unit 201 takes out the authentication response information Resp from the RAM 203 and outputs the authentication inquiry information A.
ut is calculated by Aut = Resp ^s mod p = g ^{rh (si) s} mod p (step S403). At this time, since rs mod p-1 = 1 is satisfied, Aut = gh ^(si) mod p for the same reason as described in step S305. Next, the control unit 201 takes out the identification number IDi of the user i stored in the RAM 203, reads the secret key k stored in the secret key storage unit 205, and uses these as the keys to identify the identification number IDi and the authentication. Inquiry information Au
The concatenation of t and t is encrypted by the secret key encryption E as in E (k, IDi / Aut) (step S404). However, the symbol ‖ represents the connection of information. Then, the control unit 201
E (k, IDi / Aut) is transmitted by personal computer communication to the credit company b through the communication unit 206 (step S).
405).

In the credit company b, the control unit 301
E sent from the sales company a via the communication unit 306
(K, IDi / Aut) is received (step S501 in FIG. 10). Next, the control unit 301 controls the secret key storage unit 30.
The secret key k stored in step 5 is read, and E (k, IDi / Aut) is used as a key for the decryption algorithm D.
Then, the decoding is performed as D {k, E (k, IDi / | Aut)} = IDi // Aut (step S502).

Then, the control section 301 records the converted secret information {g which is recorded in combination with the decrypted identification number IDi.
^{h (si)} mod p} is searched and read from the individual data storage unit 304 (step S503). Next, the control unit 3
01 is the decrypted authentication inquiry information Aut and {gh ^(si) mod p} read from the individual data storage unit 304.
It is collated whether or not the value of is matched (step S50).
4). Next, the control unit 301 sends the result of the matching to the communication unit 30.
6 to the sales company a (step S50)
4).

In the sales company a, the control unit 201 receives the verification result transmitted from the credit company b via the communication unit 206, and if the credit company has been authenticated, orders the merchandise to the user i. If the authentication is not accepted, the user i is notified that the authentication is impossible.

When the user i receives the information transmitted from the sales company a and is instructed to order the product, the control unit 101 displays the information prompting the user to order the product on the display unit 105. After that, the user i performs a product ordering operation. On the other hand, when it is received that the authentication is not possible, the fact that the authentication cannot be performed is displayed on the display unit 105.

As described above, in the personal authentication system according to the first embodiment, the credit company b does not know the password si of the user i by the sales company a.
Can confirm whether the user i is a legitimate user i only by referring to the database. This is because the information that the sales company a can know {gh ^(si) mod p} to h (s
Obtaining i) is extremely difficult if the value of p is large even if the value of g is known (in the first embodiment, the value is about 512 bits). Note that the problem of obtaining X from Y, g, p when there is a relation of Y = g ^X mod p is called “discrete logarithm problem”. The difficulty of solving the "discrete logarithm problem" is described in detail in "Current Cryptography" by Shinichi Ikeno and Kenji Koyama (IEICE).

Since the password i of the user i is input to the authentication application apparatus 10 by the user i himself, the password si is 10
It is often a number of about 4 digits. In that case, the sales company a who knows the value of gh ^(si) mod p tries to find the value of si by applying it in all cases as the value of si,
Actually, since the function h is not given to the sales company a, it is impossible to find the value of si.

If an IC card is added to each user's authentication application device and the password of user i is managed by the IC card, the value of si does not have to be a small value of about 4 decimal digits, and function h No need to use it. However,
Even in this case, the use of the function h further increases the safety.

Even if somebody eavesdrops on the personal computer communication line exchanged between the user i and the sales company a, the value of {gh ^(si) mod p} cannot be known. This is because the information flowing through the personal computer communication line is App = g ^x mod p Cha = g ^xr mod p Resp = g ^{rh (si)} mod p, and the value of g ^{h (si)} mod p is known from Resp. Is because the value of the random number parameter r is required. To obtain the value of the random number parameter r from App and Cha,
It is impossible to realistically solve the "discrete logarithm problem".

When the identification number IDi and the authentication inquiry information Aut are sent between the sales company a and the credit company b, they are encrypted with the secret key k shared by both parties, so they can be tapped. Does not make sense.

As described above, in the first embodiment, a person other than the user i cannot know the password si of the user i, and the operation of the above embodiment can authenticate whether the user i is a legitimate one. .

In the first embodiment, the value of g is set to a value common to the personal authentication system of this embodiment.
The value of can be changed for each user. In this case, the user i decides the value of g, calculates {gh ^(si) mod p}, and informs the credit company b. In this case, since the value of g itself is secret, the security is further enhanced. Similarly, the hash function h may be changed for each user, and in this case also the security is enhanced.

In the first embodiment described above, the two-way communication among the user i, the sales company a, and the credit company b is performed by using personal computer communication.
As long as bidirectional communication such as a TV network and B-ISDN is possible, the same effect as above can be obtained even if communication is performed using them.

(2) Second Embodiment The second embodiment of the present invention is a personal authentication system using the same configuration as the personal authentication system described in the first embodiment. It can be realized with the same configuration as the first embodiment, but the execution procedure is different. The settings in the system are almost the same, but the integer value g which is a value common to the system
The value of is also given to the sales company a. Therefore, while referring to the configuration of the personal authentication system in FIG. 1 below,
The second embodiment will be described.

FIG. 11 is a sequence chart showing the operation of the whole personal authentication system of the second embodiment. FIG.
2 is the authentication relay device 2 of FIG. 1 in the second embodiment.
It is a flow chart which shows operation at the time of generation of 0 attestation question information. This operation corresponds to (2) in FIG. FIG.
3 is the authentication application device 1 of FIG. 1 in the second embodiment.
9 is a flowchart showing an operation when generating 0 response information for authentication. This operation corresponds to (4) in FIG. FIG.
4 is the authentication relay device 2 of FIG. 1 in the second embodiment.
7 is a flowchart showing an operation when generating 0 authentication inquiry information. This operation corresponds to (6) in FIG. FIG.
FIG. 5 is a flowchart showing the operation of the user authentication device 30 of FIG. 1 at the time of user authentication verification in the second embodiment. This operation corresponds to (8) in FIG. Less than,
The operation of the second embodiment will be described with reference to these FIGS. 11 to 15 while referring to the configuration described in the first embodiment.

When the user i directly applies to the credit company b for authentication, his / her identification number IDi and password si are presented to the credit company. The credit company b determines the personalized data storage unit 304 from the presented IDi.
And authenticate the user if the stored password is equal to the presented value, otherwise do not authenticate the user.

Next, the procedure when the sales company a authenticates the user i will be described. The following processes are all performed in real time. In the mail-order system via the network, when the user i purchases a product of the selling company a and pays the price with a credit card, the user i must be authenticated by the credit company before placing an order. At this time, the user i instructs the authentication application device to apply for user authentication. In response, the control unit 101 informs the sales company a via the communication unit 107 through personal computer communication that the user authentication is desired.

The sales company a generates a random number parameter r using the random number generator 204 (step S6 in FIG. 12).
01). At this time, the random number parameter r is an integer that satisfies the condition of 0 <r <p-1 gcd (r, p-1) = 1. Next, the control unit 201, the authentication inquiry information Cha by using the random number parameter r, calculated at Cha = g ^r mod p, and stores the random number parameter r in RAM 203 (step S602). Next, the control unit 201 transmits the authentication question information Cha by personal computer communication to the user i via the communication unit 206 (step S603).

For the user i, the control unit 101 has the communication unit 1
Authentication question information C received from sales company a via 07
The ha is stored in the RAM 103 (step S in FIG. 13).
701). Next, the user i inputs his / her credit member identification number IDi and password si (step S702). Next, the control unit 101 controls the random number generator 1
The random number parameter x is generated using 06 (step S703). At this time, the random number parameter x is an integer that satisfies the condition of 0 <x <p-1 gcd (x, p-1) = 1. However, gcd (α, β)
Indicates the greatest common divisor of α and β. Next, the control unit 1
01 retrieves the authentication question information Cha from the RAM 103 and, using the random number parameter x, displays the first authentication response information Resp and the second authentication response information C, Resp = Cha ^{{x + h (si)}.} The calculation is performed by mod p C = g ^x mod p (step S704). Next, the control unit 101
Transmits the identification number IDi of the user i and the first and second authentication response information Resp and C via personal computer communication to the selling company a via the communication unit 107 (step S).
705).

At the sales company a, the control unit 201 controls the identification number IDi received from the user i via the communication unit 206.
And the first and second authentication response information Resp and C are stored in the RAM 203 (step S80 in FIG. 14).
1). Next, the control unit 201 reads the random number parameter r stored in the RAM 203 and calculates an integer s (0 <s <p-1) that satisfies rs mod p-1 = 1 (step S802). At this time, since gcd (r, p−1) = 1, such s always exists. Then, the control unit 201 reads the second authentication response information C from the RAM 203.
To calculate an integer z (0 <z <p) that satisfies Cz mod p = 1 (step S
803). At this time, since 1 <g <p C = g ^x mod p and gcd (C, p) = 1, such z always exists. Then, the control unit 201 calculates w by w = z ^r mod p (step S804). At this time, z
Is considered to be z = C ⁻¹ mod p, so w is considered to be w = g ^−xr mod p.

Next, the control unit 201 controls the authentication inquiry information A.
ut is calculated by Aut = (Resp × w) ^s mod p = [gr ^{{x + h (si)}-xr} ] ^s mod p = { ^{grh (si)} } ^s mod p (step S805). At this time, since rs mod p-1 = 1 is satisfied, Aut = gh ^(si) mod p for the same reason as described in step S305 of the first embodiment. Next, the control unit 201 extracts the identification number IDi stored in the RAM 203, and the secret key storage unit 205.
The secret key k stored in is read out, and by using this as a key, the identification number IDi and the authentication inquiry information Aut are concatenated and encrypted with the secret key encryption E, such as E (k, IDi / Aut). Yes (step S806). However, the symbol ‖ represents the connection of information. Then, the control unit 201
E (k, IDi / Aut) is transmitted by personal computer communication to the credit company b through the communication unit 206 (step S).
807).

In the credit company b, the control unit 301
E sent from the sales company a via the communication unit 306
(K, IDi | Aut) is received (step S901 in FIG. 15). Next, the control unit 301 controls the secret key storage unit 30.
The secret key k stored in step 5 is read, and E (k, IDi / Aut) is used as a key for the decryption algorithm D.
Then, the decoding is performed as follows: D {k, E (k, IDi / | Aut)} = IDi // Aut (step S902).

Next, the control section 301 records the converted secret information {g which is recorded in combination with the decrypted identification number IDi.
^{h (si)} mod p} is searched and read from the individual data storage unit 304 (step S903). Then, the control unit 301 decrypts the authentication inquiry information Aut and the converted secret information {gh ^(si) read from the individual data storage unit 304.
The value of mod p} is checked to see if it matches (step S904). Next, the control unit 301 transmits the collation result to the sales company a via the communication unit 306 (step S904).

In the sales company a, the control unit 201 receives the verification result transmitted from the credit company b through the communication unit 206, and when the credit company has been authenticated, orders the merchandise to the user i. If the authentication is not accepted, the user i is notified that the authentication is impossible.

When the user i receives the information transmitted from the sales company a and is instructed to order the product, the control unit 101 displays the information prompting the user to order the product on the display unit 105. After that, the user i orders the product.
When it is received that the authentication is impossible, the display 105 displays
Display that authentication failed.

As described above, in the personal authentication system according to the second embodiment, the credit company b does not know the password si of the user i by the sales company a.
Can confirm whether the user i is a legitimate user i only by referring to the database. This is because the information that the sales company a can know {gh ^(si) mod p} to h (s
Obtaining i) is because it is extremely difficult if the value of p is large even if the value of g is known (in the second embodiment, the value is about 512 bits).

The consideration when the password si of the user i is a small number is the same as that in the first embodiment.

If an IC card is added to each user's authentication application device and the password of user i is managed by the IC card, si does not have to be a small value of about 4 decimal digits, and function h No need to use it. However,
Even in this case, the use of the function h further increases the safety.

Also, as in the case of the first embodiment, even if there is an eavesdropping on a personal computer communication line exchanged between the user i and the sales company a, {gh ^(si) mod p
} Value cannot be known. The reason is that the information flowing through the personal computer communication line is Cha = g ^r mod p Resp = g ^{r {x + h (si)}} mod p C = g ^x mod p, from Resp to {g ^{h (si)} mod p. This is because the values of the random number parameters r and x are required to know the value of p}. Obtaining the values of these random number parameters r and x from Cha and C requires solving the "discrete logarithm problem", which is practically impossible.

Further, when IDi and Aut are sent between the sales company a and the credit company b, the IDi and Aut are encrypted with the secret key k shared by both, so there is no point in eavesdropping.

Further, in the second embodiment, in order to increase the confidentiality of the transmission data, the random number parameter x is added to the first authentication response information Resp transmitted from the user i to the sales company a.
However, if it is sufficient to secure a certain degree of confidentiality, the authentication response information Resp ′ (= Cah ^(si) ) that does not include the random number parameter x is transmitted from the user i to the sales company a. You may do it. in this case,
At the sales company a, a random number parameter x is obtained from the authentication response information.
The user i does not need to send the second authentication response information C to the sales company because it does not need to be removed.

Further, in the second embodiment, the value of g is the value common to the personal authentication system, but the value of g can be changed for each user. In this case, user i
Determines the value of g and calculates {gh ^(si) mod p},
Let credit company b know. In this case, g
Since the value of is itself a secret, it is more secure. Similarly,
The hash function h may be changed for each user, and in this case also the security is enhanced.

As described above, also in the second embodiment, a person other than the user i cannot know the password si of the user i, and the operation of the above embodiment can authenticate whether the user i is a valid one. .

In the second embodiment, the two-way communication among the user i, the sales company a, and the credit company b is performed by using personal computer communication.
As long as bidirectional communication such as a TV network and B-ISDN is possible, the same effect as above can be obtained even if communication is performed using them.

(3) Third Embodiment The third embodiment of the present invention is a personal authentication system using the same configuration as the personal authentication system described in the first embodiment. The first embodiment can be realized with the same configuration, but when authenticating whether or not the user i is a legitimate user in the present system, only two parties are provided between the user i and the sales company a. The unknown shared key can be generated, and the user i and the sales company a can perform encrypted communication. The settings in the system are almost the same, but the public key of the sales company a is given to the user i and stored in the ROM 102. The public key of the selling company a is managed in a public publication such as a telephone directory or a public database, and anyone can easily obtain it. In addition, the sales company a defines a secret key s _a known only to yourself is a value different from that of the secret key k shared with the credit company b. Below, the first of the secret key to k, a s _a second
Call the private key of. k, s _a both, the secret key storage unit 20
Stored in 5. Further, the value of the integer value g which is a value common to the system is also given to the sales company a. The third embodiment will be described below with reference to the configuration of the individual authentication system in FIG.

FIG. 16 is a sequence chart showing the operation of the entire personal authentication system of the third embodiment shown in FIG. FIG. 17 is a flowchart showing the operation of the authentication application device 10 of FIG. 1 when applying for authentication. This operation is shown in FIG.
This corresponds to (1) of 6. FIG. 18 is a flowchart showing the operation of the authentication relay device 20 of FIG. 1 when generating the authentication question information. This operation corresponds to (3) in FIG. FIG. 19 is a flowchart showing the operation of the authentication application device 10 of FIG. 1 when generating authentication response information. This operation corresponds to (5) in FIG. FIG. 20 is a flowchart showing the operation of the authentication relay device 20 of FIG. 1 when generating the authentication inquiry information. This operation corresponds to (7) in FIG.
21 is a flowchart showing the operation of the user authentication device 30 of FIG. 1 at the time of user authentication collation. This operation corresponds to (9) in FIG. Hereinafter, these FIGS.
The operation of the third embodiment will be described with reference to FIG.

[0079] First, the sales company a will, his second of the secret key s _a, selected as _{0 <s a <p-1} gcd (s a, p-1) = 1 satisfies the condition integer. At this time, an integer u satisfying the condition of us _a mod p-1 = 1 0 <u <p-1 is calculated. At this _{time, gcd (s a, p-} 1) because it is = 1, such u is always present. Here, the public key P _a of the sales company a is calculated by P _a = ^gu mod p. Each user obtains the public key P _a of the sales company a that subscribes to this system by using a public database or the like.

It is assumed that the following processes are all performed in real time. In the mail-order system via the network, when the user i purchases the product of the sales company a and pays the price with a credit card, the sales company a credits whether or not the user i is an authorized user. Authenticate with the help of the company. In the present embodiment, the order content Ord that the user i informs the sales company a.
Can be encrypted and transmitted from the user i to the sales company a.

The user i creates the order content Ord to place an order with the sales company a, and the control unit 101 stores the order content Ord in the RAM 103 (step S100 in FIG. 17).
1). Then, the user i instructs the user application for authentication to the authentication application device 10 (step S1002). On the other hand, the control unit 101 of the authentication application device 10 uses the random number generator 106 to generate a random number parameter x (step S1003). At this time, the random number parameter x is an integer that satisfies the condition of 0 <x <p-1 gcd (x, p-1) = 1. Next, the control unit 101, an authentication item App by using the random number parameter x, App = calculated by _{^{P a x mod p = g ux}} mod p, stores the random number parameter x in RAM 103 (step S1004). Next, the control unit 101 informs the sales company a via the communication unit 107 by personal computer communication that the user authentication is desired and transmits the authentication application information App (step S1005).

In the sales company a, the control unit 201 stores the App received from the user i via the communication unit 206 in the RAM.
It stores in 203 (step S1101 of FIG. 18). Next, the control unit 201 reads the second secret key s _a stored in the secret key storage unit 205, the common key information C ₀ of the sales company side a ^{_{C 0 = App sa mod p =}} g uxsa mod It is calculated by p (step S1102) and stored in the RAM 203. At this time, since us _a mod p-1 = 1 is satisfied, C ₀ = g ^x mod p is obtained for the same reason as described in step S305 of the first embodiment. Next, the control unit 201 uses the random number generator 204 to generate a random number parameter r (step S110).
3). At this time, the random number parameter r is an integer that satisfies the condition of 0 <r <p-1 gcd (r, p-1) = 1. Next, the control unit 201 controls the R
C ₀ is taken out from AM 203, and this random number parameter r
Is used to calculate the authentication question information Cha by Cha = C ₀ ^r mod p = g ^xr mod p, and the random number parameter r is stored in the RAM 203 (step S1104). Next, the control unit 201 transmits the authentication question information Cha by personal computer communication to the user i via the communication unit 206 (step S1105).

For the user i, the control unit 101 uses the communication unit 1
Authentication question information C received from sales company a via 07
ha is stored in the RAM 103 (step S in FIG. 19).
1201). Next, the user i inputs his / her credit member identification number IDi and password si (step S1202). Next, the control unit 101 controls the RAM 1
The random number parameter x stored in 03 is read, and the integer y satisfying the condition of xy mod p-1 = 1 0 <y <p-1 is calculated (step S120).
3). At this time, since gcd (x, p-1) = 1, such y always exists.

Next, the control unit 101 substitutes the input password si into the hash function h to obtain the hash value h (s
i) is calculated (step S1204). Then, the control unit 101 extracts the authentication question information Cha from RAM 103, the authentication response information Resp against Cha, calculated by ^{Resp = Cha yh (si) mod} p = g xryh (si) mod p ( Step S1205) . At this time, since xy mod p-1 = 1 is satisfied, Resp = g ^{rh (si)} mod p for the same reason as described in step S305 of the first embodiment. Next, the control unit 101 reads the random number parameter x stored in the RAM 103, and calculates the shared key information C ₁ on the user i side with C ₁ = g ^x mod p (step S1206). And the control unit 10
1, reads the order contents Ord from RAM103, the identification number IDi of the order contents of Ord and the user i, a secret key encryption algorithm E to share key information C ₁ of the user i side as the key, E (C _1, IDi‖ Ord) (step S1207). And
The control unit 101 transmits E (C ₁ , IDi / | Ord) and the authentication response information Resp to the sales company a via the communication unit 107 by personal computer communication (step S120).
8).

At the sales company a, the control unit 201 receives the E (C ₁ , IDi received from the user i via the communication unit 206.
‖Ord) and the authentication response information Resp are stored in the RAM 20.
3 (step S1301 in FIG. 20). next,
The control unit 201 reads the shared key information C ₀ on the sales company a side stored in the RAM 203, and uses this as the key.
E (C ₁ , IDi / Ord) is the decoding algorithm D
Then, the decoding is performed as follows: D {C ₀ , E (C ₁ , IDi / Ord)} (step S1302). At this time,
Since C ₀ = C ₁ , D {C ₀ , E (C ₁ , IDi / Ord)} = IDi / O
rd. Next, the control unit 201 reads the random number parameter r stored in the RAM 203 and calculates an integer s that satisfies the condition of rs mod p-1 = 1 0 <s <p-1 (step S130).
3). At this time, since gcd (r, p−1) = 1, such s always exists.

Next, the control unit 201 extracts the authentication response information Resp from the RAM 203, and outputs the authentication inquiry information A.
ut is calculated by Aut = Resp ^s mod p = g ^{rh (si) s} mod p (step S1304). At this time, since rs mod p-1 = 1 is satisfied, Aut = gh ^(si) mod p for the same reason as described in step S305 of the first embodiment. Next, the control unit 201 takes out the identification number IDi of the user i stored in the RAM 203, reads the secret key k stored in the secret key storage unit 205, and uses these as the keys to identify the identification number IDi and the authentication. Inquiry information Au
The concatenation of t and t is encrypted by the secret key encryption algorithm E as in E (k, IDi / Aut) (step S1305). However,
The symbol ‖ represents the connection of information. Then, the control unit 201
Sends E (k, IDi / Aut) to the credit company b through the communication unit 206 by personal computer communication (step S1306).

In the credit company b, the control unit 301 is
E sent from the sales company a via the communication unit 306
(K, IDi | Aut) is received (step S1401 in FIG. 21). Next, the control unit 301 controls the secret key storage unit 3
The secret key k stored in 05 is read, and E (k, IDi // Aut) is used as a key in the decryption algorithm D by D {k, E (k, IDi // Aut)} = IDi // Aut As described above (step S1402).

Then, the control section 301 records the converted secret information {g stored in combination with the decrypted identification number IDi.
^{h (si)} mod p} is searched and read from the individual data storage unit 304 (step S1403). Next, the control unit 301 reads the decrypted authentication inquiry information Au and the {gh ^(si) mod read from the individual data storage unit 304.
p} is matched with the value (step S1).
404). Next, the control unit 301 transmits the collation result to the sales company a via the communication unit 306 (step S14).
04).

In the sales company a, the control unit 201 receives the verification result transmitted from the credit company b via the communication unit 206, and when the credit company has been authenticated, the order content Ord transmitted by the user i. Is accepted, and if the authentication is not accepted, the fact that the authentication is impossible is transmitted to the user i.

In the user i, the control unit 101 receives the information transmitted from the sales company a, and when the order contents are accepted, displays on the display unit 105 that the order has been received. On the other hand, if you receive that authentication is not possible,
The fact that the authentication could not be performed is displayed on the display unit 105.

As described above, in the personal authentication system according to the third embodiment, the credit company b does not know the password si of the user i by the sales company a.
Can confirm whether or not the user i is a legitimate user simply by referring to the database. This is information (g ^{h (si)} mod p} that the sales company a can know from h (si)
Even if the value of g is known, if the value of p is large (it is set to a value of about 512 bits in the third embodiment), it is extremely difficult to obtain. Further, in the third embodiment, the user i and the sales company a who do not have the shared key in advance generate the shared key based on the random number parameter x,
Using this shared key, the order details Ord and the identification number IDi
Can be encrypted and transmitted from the user i to the sales company a. Therefore, order contents Ord and identification number I
Di is never known. Note that either one of the order content Ord and the identification number IDi may be encrypted and transmitted.

The consideration when the password si of the user i is a small number is the same as in the first embodiment.

If an IC card is added to the authentication application device of each user and the password of user i is managed by the IC card, the value of si does not have to be a small value of about 4 decimal digits, and function h No need to use it. However,
Even in this case, if the hash function h is used, the security is further increased.

Further, as in the case of the first embodiment, even if there is an eavesdropping on a personal computer communication line exchanged between the user i and the sales company a, {gh ^(si) mo
It is not possible to know the value of d p}. This is because the information flowing through the personal computer communication line is: App = g ^ux mod p Cha = g ^xr mod p Resp = g ^{rh (si)} mod p, and the value of {g ^{h (si)} mod p} from Resp This is because the value of the random number parameter r is needed to know. Obtaining the value of the random number parameter r from App and Cha requires solving the "discrete logarithm problem", which is practically impossible.

When the identification number IDi and the authentication inquiry information Aut are sent between the sales company a and the credit company b, they are encrypted with the secret key k shared by both parties, so they can be tapped. Does not make sense.

As described above, in the third embodiment, a person other than the user i cannot know the password si of the user i, and the operation of the above embodiment can authenticate whether the user i is a legitimate one. Moreover, since the order content Ord and the identification number IDi of the user i are encrypted and transmitted, the third party cannot know.

In the third embodiment, the value of g is a value common to the personal authentication system of this embodiment.
The value of can be changed for each user. In this case, the user i decides the value of g, calculates {gh ^(si) mod p}, and informs the credit company b. In this case, since the value of g itself is secret, the security is further enhanced. Similarly, the hash function h may be changed for each user, and in this case also the security is enhanced.

In the third embodiment, the two-way communication among the user i, the sales company a, and the credit company b is performed by using personal computer communication.
As long as bidirectional communication such as a TV network and B-ISDN is possible, the same effect as above can be obtained even if communication is performed using them.

In the third embodiment, the encrypted communication can be performed between the user i and the sales company a while holding the shared key.
Although a modification of the first embodiment described above, the same encrypted communication can be applied to the second embodiment.
Such an embodiment will be shown below as a fourth embodiment.

(4) Fourth Embodiment A fourth embodiment of the present invention is a personal authentication system using the same configuration as the personal authentication system described in the first embodiment. That is, the same configuration as that of the first embodiment can be realized, but when authenticating whether or not the user i is a valid user, the user i and the sales company a can be authenticated as in the third embodiment. In the meantime, a shared key known only to two parties can be generated, and the user i and the sales company a can perform encrypted communication. In addition, the sales company a defines a secret key s _a known only to yourself is a value different from that of the secret key k shared with the credit company b. Hereinafter, k is called a first secret key and s _a is called a second secret key. k, s _a both,
It is stored in the private key storage unit 205. Further, the value of the integer value g which is a value common to the system is also given to the sales company a. Further, the public key P _a of the sales company _a is given to the user i and stored in the ROM 102. As described above, this public key P _a is managed in a public publication such as a telephone directory or a public database, and anyone can easily obtain it.

FIG. 22 is a sequence chart showing the operation of the entire personal authentication system of the fourth embodiment. The fourth embodiment will be described below with reference to FIG. 22 while referring to the configuration of the individual authentication system in FIG. First, selling the company a will, his second of the secret key s _a, selected as _{0 <s a <p-1} gcd (s a, p-1) = 1 satisfies the condition integer. At this time, an integer u satisfying the condition of us _a mod p-1 = 1 0 <u <p-1 is calculated. At this _{time, gcd (s a, p-} 1) because it is = 1, such u is always present. Here, the public key P _a of the sales company a is calculated by P _a = ^gu mod p. Each user obtains the public key P _a of the sales company a that subscribes to this system by using a public database or the like.

In the mail order system via the network, when the user i purchases the product of the sales company a,
When payment is made by a credit card, the user i must be authenticated by the credit company before placing an order. In the present embodiment, the order content Ord notified by the user i to the sales company a can be encrypted and transmitted from the user i to the sales company a.

First, the user i creates the order content Ord to place an order with the sales company a, and the control unit 101 controls the RAM 103.
The order content Ord is stored in. Then, the user i instructs the authentication application device 10 to apply for user authentication. In response, the control unit 101 notifies the sales company a via the communication unit 107 by personal computer communication that the user authentication is desired (FIG. 2).
Step 2 (1)).

The sales company a uses the random number generator 204 to generate a random number parameter r. At this time, the random number parameter r is an integer that satisfies the condition of 0 <r <p-1 gcd (r, p-1) = 1. Next, the control unit 201, the authentication inquiry information Cha by using the random number parameter r, calculated at Cha = g ^r mod p, and stores the random number parameter r in RAM 203 (the procedure of FIG. 22 (2)) .. Next, the control unit 201
Authentication question information Cha is transmitted to the user i by personal computer communication via the communication unit 206 (procedure (3) in FIG. 22).

For the user i, the control unit 101 uses the communication unit 1
Authentication question information C received from sales company a via 07
The ha is stored in the RAM 103. Next, user i
Using the input operation device 104, the identification number IDi of his credit member and the password si are input to the control unit 101. In response, the control unit 101 determines that the random number generator 106
Is used to generate a random parameter x. At this time, the random number parameter x is an integer that satisfies the condition of 0 <x <p-1 gcd (x, p-1) = 1. Next, the control unit 101 controls the R
The authentication question information Cha is extracted from the AM 103, and the random number parameter x is used to generate the first authentication response information Resp.
When a second authentication response information C, and the shared key information C ₁ of the user i ^{side, Resp = Cha {x + h} (si)} mod p C = P a x mod p = g ux mod p C 1 = G ^x mod p (step (4) in FIG. 22). And the control unit 1
01 reads the order details Ord from the RAM 103,
The order content Ord and the identification number IDi of the user i are encrypted with the secret key encryption algorithm E using the shared key information C ₁ on the user i side as a key, such as E (C ₁ , IDi / | Ord) (FIG. 22). Procedure (4)). And
The control unit 101 transmits E (C ₁ , IDi / | Ord), the authentication response information Resp, and the second authentication response information C to the sales company a via the communication unit 107 by personal computer communication (FIG. 22 procedure (5)).

At the sales company a, the control unit 201 receives the E (C ₁ , IDi received from the user i via the communication unit 206.
(Ord), the authentication response information Resp, and the second authentication response information C are stored in the RAM 203, and the operation of step (6) shown in FIG. 22 described below is performed.

First, the control unit 201 controls the secret key storage unit 205.
Reads the second secret key s _a that are stored in, the shared key information C ₀ of the sales company a side, calculated at ^{_{C 0 = C sa mod p =}} g x mod p (= C 1), the RAM203 Store (procedure (6) in FIG. 22). Next, the control unit 201 uses the shared key information C ₀ on the sales company a side obtained by the calculation as a key, and E (C ₁ , I
Di | Ord) is decoded by the decoding algorithm D as follows: D {C ₀ , E (C ₁ , IDi / Ord)}. At this time, since C ₀ = C ₁ , D {C ₀ , E (C ₁ , IDi // Ord)} = IDi // O
rd.

Next, the control unit 201 reads the random number parameter r stored in the RAM 203 and calculates an integer s (0 <s <p-1) satisfying rs mod p-1 = 1. At this time, since gcd (r, p−1) = 1, such s always exists. Then, the control unit 201 reads the shared key C _O from the RAM 203 and calculates an integer z (0 <z <p) that satisfies C _O z mod p = 1. At this time, since 1 <g <p C _O = g ^x mod p and gcd (C _O , p) = 1, such z always exists. Then, the control unit 201 also calculates w by w = z ^r mod p. At this time, since z is considered to be z = C ₀ ^-1 mod p, w is considered to be w = g ^-xr mod p.

Next, the control unit 201 determines that the authentication inquiry information A
ut is calculated by Aut = (Resp × w) ^s mod p = [gr ^{{x + h (si)}-xr} ] ^s mod p = { ^{grh (si)} } ^s mod p. At this time, since rs mod p-1 = 1 is satisfied, Aut = gh ^(si) mod p for the same reason as described in step S305 of the first embodiment.

Next, the control unit 201 takes out the identification number IDi stored in the RAM 203, and the secret key storage unit 2
The secret key k stored in 05 is read out, and using this as a key, the identification number IDi and the authentication inquiry information Aut are concatenated, and the secret key encryption algorithm E is used as E (k, IDi / Aut). Encrypt. Then, the control unit 201 performs personal computer communication with the credit company b via the communication unit 206, and
(K, IDi / Aut) is transmitted (procedure (7) in FIG. 22).

In the credit company b, the control unit 301
E sent from the sales company a via the communication unit 306
Upon receiving (k, IDi‖Aut), the private key storage unit 3
The private key k stored in 05 is read, and this is used as a key to perform a decryption algorithm D to decrypt as D {k, E (k, IDi // Aut)} = IDi // Aut (procedure (8 in FIG. 22. )).

Then, the control section 301 records the converted secret information {g which is recorded in combination with the decrypted identification number IDi.
^{h (si)} mod p} is searched and read from the individual data storage unit 304. Next, the control unit 301 checks whether or not the decrypted authentication inquiry information Aut and the value of the conversion secret information {gh ^(si) mod p} read from the individual data storage unit 304 match. Next, the control unit 301 transmits the verification result to the sales company a via the communication unit 306 (procedure (9) in FIG. 22).

In the sales company a, the control unit 201 receives the verification result transmitted from the credit company b via the communication unit 206, and if the credit company has been authenticated, the order details Ord transmitted by the user i. Is accepted, and if the authentication is not received, the fact that the authentication is impossible is transmitted to the user i ((10) in FIG. 22).

For the user i, the control unit 101 receives the information transmitted from the sales company a, and when the order contents are accepted, displays on the display unit 105 that the order has been received. On the other hand, if you receive that authentication is not possible,
The fact that the authentication could not be performed is displayed on the display unit 105.

In the fourth embodiment described above, similarly to the second embodiment described above, the credit company b does not know the password si of the user i by the sales company a, and You can check whether or not it is just by referring to the database. In the fourth embodiment, the user i and the sales company a who do not have a shared key in advance generate a shared key based on the random number parameter x, and use this shared key to obtain the order details Ord and the identification number IDi. User i
Can be encrypted and transmitted to the sales company a. Therefore, the order details Ord and the identification number IDi are not known to others. The order details Ord and the identification number I
Either one of Di may be encrypted and transmitted.

The consideration when the password si of the user i is a small number is the same as in the first embodiment.

If an IC card is added to each user's authentication application device and the password of user i is managed by the IC card, si does not have to be a small value of about 4 decimal digits, and function h No need to use it. However,
Even in this case, if the hash function h is used, the security is further increased.

Also, as in the case of the first embodiment, even if there is an eavesdropping on a personal computer communication line exchanged between the user i and the sales company a, {gh ^(si) mo
It is not possible to know the value of d p}. The reason is that the information flowing through the personal computer communication line is Cha = g ^r mod p Resp = g ^{r {x + h (si)}} mod p C = g ^ux mod p, and Resp to {g ^{h (si)} mod p This is because the values of the random number parameters r and x are required to know the value of p}. Obtaining the values of these random number parameters r and x from Cha and C requires solving the "discrete logarithm problem", which is practically impossible.

When the identification number IDi and the authentication inquiry information Aut are sent between the sales company a and the credit company b, they are encrypted with the secret key k shared by both parties, so they can be tapped. Does not make sense.

As described above, in the fourth embodiment, a person other than the user i cannot know the password si of the user i, and the operation of the above embodiment can authenticate whether the user i is a legitimate one. Moreover, since the order content Ord and the identification number IDi of the user i are encrypted and transmitted, the third party cannot know.

In the fourth embodiment, the value of g is a value common to the personal authentication system of this embodiment.
The value of can be changed for each user. In this case, the user i decides the value of g, calculates {gh ^(si) mod p}, and informs the credit company b. In this case, since the value of g itself is secret, the security is further enhanced. Similarly, the hash function h may be changed for each user, and in this case also the security is enhanced.

In the fourth embodiment, the two-way communication among the user i, the sales company a, and the credit company b is performed by using personal computer communication.
As long as bidirectional communication such as a TV network and B-ISDN is possible, the same effect as above can be obtained even if communication is performed using them.

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration of a personal authentication system according to a first exemplary embodiment of the present invention.

2 is a block diagram showing an example of a configuration of an authentication application device 10 provided for a user i shown in FIG.

FIG. 3 is a block diagram showing an example of a configuration of an authentication relay device 20 provided in the sales company a shown in FIG.

4 is a block diagram showing an example of a configuration of a user authentication device 30 provided in the credit company b shown in FIG.

FIG. 5 is a sequence chart showing the operation of the entire personal authentication system of the first exemplary embodiment.

FIG. 6 is a flowchart showing an operation of the authentication application device 10 according to the first exemplary embodiment when applying for authentication.

FIG. 7 is a flowchart showing an operation of the authentication relay device 20 according to the first embodiment when generating authentication question information.

FIG. 8 is a flowchart showing an operation of the authentication application device 10 according to the first exemplary embodiment when generating authentication response information.

FIG. 9 is a flowchart showing an operation of the authentication relay device 20 according to the first embodiment when generating authentication inquiry information.

FIG. 10 is a flowchart showing an operation of the user authentication device 30 of the first exemplary embodiment at the time of user authentication verification.

FIG. 11 is a sequence chart showing the operation of the entire personal authentication system of the second exemplary embodiment.

FIG. 12 is a flowchart showing an operation of the authentication relay device 20 according to the second embodiment when generating authentication question information.

FIG. 13 is a flowchart showing an operation of the authentication application device 10 according to the second exemplary embodiment when generating authentication response information.

FIG. 14 is a flowchart showing an operation of the authentication relay device 20 according to the second embodiment when generating authentication inquiry information.

FIG. 15 is a flowchart showing an operation of the user authentication device 30 of the second exemplary embodiment at the time of user authentication verification.

FIG. 16 is a sequence chart showing the operation of the entire personal authentication system of the third exemplary embodiment.

FIG. 17 is a flowchart showing an operation of the authentication application device 10 according to the third exemplary embodiment when applying for authentication.

FIG. 18 is a flowchart showing an operation of the authentication relay device 20 according to the third embodiment when generating authentication question information.

FIG. 19 is a flowchart showing an operation of the authentication application device 10 according to the third exemplary embodiment when generating authentication response information.

FIG. 20 is a flowchart showing an operation of the authentication relay device 20 according to the third embodiment when generating authentication inquiry information.

FIG. 21 is a flowchart showing an operation of the user authentication device 30 of the third exemplary embodiment at the time of collating user authentication.

FIG. 22 is a sequence chart showing the operation of the entire personal authentication system of the fourth exemplary embodiment.

FIG. 23 is a sequence chart showing the overall operation of the second conventional example.

FIG. 24 is a sequence chart showing the overall operation of the fourth conventional example.

FIG. 25 is a sequence chart showing the overall operation of the fifth conventional example.

[Explanation of symbols]

 i ... User 10 ... Authentication application device a ... Sales company 20 ... Authentication relay device b ... Credit company 30 ... User authentication device 101, 201, 301 ... Control unit 102, 202, 302 ... ROM 103, 203, 303 ... RAM 104 ... Input operation device 105 ... Display device 106, 204 ... Random number generator 107, 206, 306 ... Communication unit 205, 305 ... Private key storage unit 304 ... Individual data storage unit

Claims (42)

[Claims] 1. A method of collaboratively authenticating information on a person to be authenticated, which is sent from the certificate authority, by the first and second certificate authorities, wherein the first certificate authority A set of the identification information of the authenticator and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information is stored in the database in advance, and the authenticated station When the person to be authenticated desires authentication,
A first variable parameter is generated, and a second one-way conversion is applied to the first variable parameter, thereby generating authentication application information dependent on the first variable parameter and generating the second application. When the second certification authority receives the certification application information, the second certification authority generates a second variable parameter, and generates a second variable parameter and a third variable with respect to the second variable parameter and the received certification application information. By performing unidirectional conversion, authentication question information dependent on the first and second variable parameters is generated and transmitted to the authenticated station, and the authenticated station receives the authentication question information, By performing a fourth one-way conversion on the first variable parameter and the secret information unique to the person to be authenticated who is to be authenticated, authentication response information that does not depend on the first variable parameter is generated, Approved Together with the identification information of the person, the second certificate authority performs a fifth one-way conversion on the received authentication response information and the second variable parameter. By doing so, the inquiry information for authentication that does not depend on the second variable parameter is generated, and is transmitted to the first certificate authority together with the received identification information of the person to be authenticated, and the first certificate authority receives the information. The converted secret information corresponding to the identification information is searched from the database, and it is checked whether the searched converted secret information matches the received inquiry reference information for authentication. If it does not match that the user is a person to be authenticated, it sends approval / denial information indicating that the person to be authenticated is not authenticated as an authorized person to the second certificate authority, and the second certificate authority is , Depending on the authorization information received An individual authentication method characterized by authenticating a person to be authenticated. 2. The personal authentication method according to claim 1, wherein the first and second variable parameters are random number parameters. 3. The secret information corresponding to the identification information of the authenticated person is a positive integer si, p is a prime number, and g is an inequality 1.
The personal authentication method according to claim 1 or 2, wherein, when an integer value that satisfies <g <p is set, the conversion secret information is a remainder value when g ^si is divided by a prime number p. 4. The secret information corresponding to the identification information of the person to be authenticated is a positive integer si, p is a prime number, and g is an inequality 1.
When the integer secret value satisfying <g <p is used and h is a hash function, the conversion secret information is a remainder value when ^{gh (si)} is divided by a prime number p. Or the personal authentication method described in 2. 5. The first variable parameter x is an integer value that satisfies 0 <x <p-1 gcd (x, p-1) = 1 (where gcd (α, β) is α and β. The second variable parameter r is an integer value that satisfies 0 <r <p-1 gcd (r, p-1) = 1, and y is xy mod p-1 = 1. The integer value (0 <y <p-1) that satisfies
mod β represents a remainder value when α is divided by β), and s is an integer value (0 <s <p-1) that satisfies rs mod p-1 = 1, Information App, the authentication question information Cha,
The authentication response information Resp, the authentication inquiry information Au
t is App = g ^x mod p Cha = App ^r mod p = g ^xr mod p Resp = Cha ^{yh (si)} mod p = g ^{rh (si)} mod
p Aut = Resp ^s mod p = g ^{h (si)} = g ^{h (si)}
The personal authentication method according to claim 4, wherein the personal authentication method is obtained by mod p. 6. The personal authentication method according to claim 3, wherein the integer value g is changed for each person to be authenticated. 7. The personal authentication method according to claim 4, wherein the hash function h is changed for each person to be authenticated. 8. A method of collaboratively authenticating information about a person to be authenticated, which is sent from a certificate authority, by the first and second certificate authorities, wherein the first certificate authority is A pair of the identification information of the authenticator and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information is stored in the database in advance, The certificate authority generates a first variable parameter when there is an application for authentication from the certificated station, and performs a second one-way conversion on the first variable parameter to obtain the first variable parameter. Sending the authentication question information dependent on the variable parameter to the authenticated station, the authenticated station, when receiving the authentication question information,
A secret is generated by generating a second variable parameter, and performing a third one-way conversion on the second variable parameter, the authentication question information, and the secret information unique to the authenticated person to be authenticated. Information, generating first authentication response information that depends on the first and second variable parameters, and second authentication response information that depends on the second variable parameter,
The identification information of the person to be authenticated is transmitted to a second certification authority, and the second certification authority responds to the first variable parameter and the received first and second authentication response information. By performing a fourth one-way conversion, generating authentication inquiry information that does not depend on the first and second variable parameters,
Along with the received identification information of the authenticated person, it is transmitted to the first certificate authority, the first certificate authority searches the database for the conversion secret information corresponding to the received identification information of the authenticated person, It is checked whether or not the converted converted secret information matches the received authentication inquiry information. If they match, it means that the person to be authenticated is a legitimate person to be authenticated. A personal authentication method, characterized in that authentication information indicating that the user is not authenticated is transmitted to a second certificate authority, and the second certificate authority authenticates the person to be authenticated by the received authentication information. 9. The personal authentication method according to claim 8, wherein the first and second variable parameters are random number parameters. 10. When the secret information corresponding to the identification information of the authentication subject is a positive integer si, p is a prime number, and g is an integer value satisfying the inequality 1 <g <p, the converted secret information is , G ^si is a residue value when the prime number p is divided, the personal authentication method according to claim 8 or 9. 11. When the secret information corresponding to the identification information of the authenticated person is a positive integer si, p is a prime number, g is an integer value satisfying the inequality 1 <g <p, and h is a hash function. 10. The personal authentication method according to claim 8, wherein the converted secret information is a remainder value when ^{gh (si)} is divided by a prime number p. 12. The first variable parameter r is an integer value that satisfies 0 <r <p-1 gcd (r, p-1) = 1 (where gcd (α, β) is α and β. The second variable parameter x is an integer value that satisfies 0 <x <p-1 gcd (x, p-1) = 1, and the second authentication response information C is , C = g ^x mod p (where α mod β represents a remainder value when α is divided by β), and z is an integer value that satisfies Cz mod p = 1 (0 <Z <p), w is a value obtained by w = z ^r mod p = g ^−xr mod p, and s is an integer value satisfying rs mod p−1 = 1 (0 <s <p−1 ), The authentication question information Cha, the first authentication response information Resp, and the authentication inquiry information Aut are Respectively ^{Cha = g r mod p Resp =} Cha x + h (si) mod p = g r {x + h (si)}
mod p Aut = (Resp × w) ^s mod p = gh ^(si)
The personal authentication method according to claim 11, wherein the personal authentication method is obtained by mod p. 13. The personal authentication method according to claim 10, wherein the integer value g is changed for each person to be authenticated. 14. The personal authentication method according to claim 11, wherein the hash function h is changed for each person to be authenticated. 15. A method of collaboratively authenticating information about a person to be authenticated, which is sent from a certificate authority, by the first and second certificate authorities, wherein the first certificate authority is A pair of the identification information of the authenticator and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information is stored in the database in advance, The certificate authority generates a variable parameter when there is an application for authentication from the certificated party, and performs a second one-way conversion on the variable parameter, thereby making the authentication question information dependent on the variable parameter. And transmits to the authenticated station, the authenticated station receives the authentication question information and the confidential information specific to the authenticated person to be authenticated,
The authentication response information is generated by performing the one-way conversion, and is transmitted to the second certificate authority together with the identification information of the person to be authenticated, and the second certificate authority receives the variable parameter and the received information. A fourth one-way conversion is performed on the authentication response information to generate authentication inquiry information that does not depend on a variable parameter, and is sent to the first certificate authority together with the received identification information of the authenticated person. And the first certificate authority searches the database for the conversion secret information corresponding to the received identification information of the authenticated person, and the searched conversion secret information matches the received inquiry reference information for authentication. Whether or not the above-mentioned authenticated person is an authentic authenticated person is checked, and when they are not matched, authentication information indicating that the authenticated person is not an authentic authenticated person is transmitted to the second certificate authority. The second certificate authority And wherein the authenticating the person to be authenticated by the received the approval or disapproval information, personal authentication method. 16. The personal authentication method according to claim 15, wherein the variable parameter is a random number parameter. 17. When the secret information corresponding to the identification information of the authenticated person is a positive integer si, p is a prime number, and g is an integer value that satisfies the inequality 1 <g <p, the converted secret information is , G ^si is a remainder value when the prime number p is divided, the personal authentication method according to claim 15 or 16. 18. When the secret information corresponding to the identification information of the authenticated person is a positive integer si, p is a prime number, g is an integer value satisfying the inequality 1 <g <p, and h is a hash function. The conversion secret information is a residue value when ^{gh (si)} is divided by a prime number p.
The personal authentication method described in 6. 19. The personal authentication method according to claim 17, wherein the integer value g is changed for each person to be authenticated. 20. The personal authentication method according to claim 18, wherein the hash function h is changed for each person to be authenticated. 21. A method of collaboratively authenticating information about a person to be authenticated, which is sent from a certificate authority, by the first and second certificate authorities, wherein the first certificate authority is A set of the identification information of the authenticator and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information is stored in the database in advance, and the authenticated station When the person to be authenticated desires authentication,
By generating a first variable parameter and subjecting the first variable parameter and public information about the second certificate authority to a second one-way conversion, the first variable parameter and the public information When the authentication application information is received and the authentication application information is received, the authentication application information and the secret information peculiar to the own station are generated. By performing the third one-way conversion on the other hand, the first shared key information not depending on the public information is generated, the second variable parameter is generated, and the second variable parameter and the first variable parameter are generated. By performing a fourth one-way conversion on the shared key information, authentication question information that depends on the first and second variable parameters is generated and transmitted to the authenticated station, and the authenticated station , The authentication question information received A fifth one-way conversion is performed on the first variable parameter and the secret information unique to the person to be authenticated to generate authentication response information that does not depend on the first variable parameter, Sixth with respect to the first variable parameter
The second shared key information is generated by performing the one-way conversion, and the identification information of the person to be authenticated is encrypted with the second shared key information, and the second authentication is performed together with the authentication response information. And the second certification authority decrypts the identification information of the person to be authenticated encrypted with the received second shared key information with the first shared key information, and receives the received authentication information. By performing a seventh one-way conversion on the response information and the second variable parameter, authentication inquiry information that does not depend on the second variable parameter is generated, and the authentication target information that decrypts the authentication inquiry information is generated. The identification information of the authenticator is transmitted to the first certificate authority, the first certificate authority searches the database for the conversion secret information corresponding to the received identification information, and the retrieved conversion secret information is Does it match the received authentication inquiry information? If there is a match, it is confirmed that the person to be authenticated is a legitimate person to be authenticated. A personal authentication method, wherein the second authentication station authenticates the person to be authenticated by the received approval / disapproval information. 22. The personal authentication method according to claim 21, wherein the first and second variable parameters are random number parameters. 23. When the secret information corresponding to the identification information of the person to be authenticated is a positive integer si, p is a prime number, and g is an integer value satisfying the inequality 1 <g <p, the converted secret information is , G ^si is a remainder value when the prime number p is divided by the p, the personal authentication method according to claim 21 or 22. 24. When the secret information corresponding to the identification information of the authentication subject is a positive integer si, p is a prime number, g is an integer value satisfying the inequality 1 <g <p, and h is a hash function. 23. The conversion secret information is a residue value when ^{gh (si)} is divided by a prime number p.
The personal authentication method described in. 25. The first variable parameter x is an integer value that satisfies 0 <x <p-1 gcd (x, p-1) = 1 (where gcd (α, β) is α or β. The second variable parameter r is an integer value that satisfies 0 <r <p-1 gcd (r, p-1) = 1, and y is xy mod p-1 = 1. The integer value (0 <y <p-1) that satisfies
mod β represents a remainder value when α is divided by β), s is an integer value (0 <s <p-1) that satisfies rs mod p-1 = 1, and the second authentication is performed. the unique secret information s _a to _{station, 0 <s a <p-} 1 gcd (s a, p-1) is an integer satisfying = 1, the u, integer satisfying _{us a mod p-1 = 1} ( 0 <u <p-1), and when the public information P _a about the second certificate authority is a value represented by P _a = ^gu mod p, the authentication application information App, the first Shared key information C ₀ ,
The authentication question information Cha and the authentication response information Res
p, the second shared key information C ₁ , the authentication inquiry information A
ut, respectively ^{_{App = P a x mod p =}} g ux mod p C 0 = App sa mod p = g x mod p Cha = C 0 r mod p = g xr mod p Resp = Cha yh (si) mod p = g ^{rh (si)} mod
The personal authentication method according to claim 24, wherein p C ₁ = g ^x mod p Aut = Resp ^s mod p = g ^{h (si)} mod p. 26. The personal authentication method according to claim 23, wherein the integer value g is changed for each person to be authenticated. 27. The personal authentication method according to claim 24, wherein the hash function h is changed for each person to be authenticated. 28. The authenticated station encrypts predetermined information in addition to the identification information of the authenticated person with second shared key information, and sends it to the second authenticated station together with the authentication response information. The personal authentication method according to claim 21, which is transmitted. 29. The personal authentication method according to claim 28, wherein the predetermined information is ordering information of a product. 30. A method of collaboratively authenticating information about a person to be authenticated, which is sent from a certificate authority, by the first and second certificate authorities, wherein the first certificate authority A set of the identification information of the authenticator and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information is stored in the database in advance, and the authenticated station When the person to be authenticated desires authentication,
By generating a first variable parameter and subjecting the first variable parameter and public information about the second certificate authority to a second one-way conversion, the first variable parameter and the public information When the authentication application information is received and the authentication application information is received, the authentication application information and the secret information peculiar to the own station are generated. By performing the third one-way conversion on the other hand, the first shared key information not depending on the public information is generated, the second variable parameter is generated, and the second variable parameter and the first variable parameter are generated. By performing a fourth one-way conversion on the shared key information, authentication question information that depends on the first and second variable parameters is generated and transmitted to the authenticated station, and the authenticated station , The authentication question information received A fifth one-way conversion is performed on the first variable parameter and the secret information unique to the person to be authenticated to generate authentication response information that does not depend on the first variable parameter, Sixth with respect to the first variable parameter
The second shared key information is generated by performing the one-way conversion, the predetermined information is encrypted with the second shared key information, and the authentication response information and the identification information of the person to be authenticated are provided together with the second shared key information. To the second certificate authority, and the second certificate authority decrypts the predetermined information encrypted with the received second shared key information with the first shared key information, and receives the received authentication information. A seventh one-way conversion is performed on the response information and the second variable parameter to generate authentication inquiry information that does not depend on the second variable parameter, and the authentication target information that has received the authentication inquiry information is generated. The identification information of the authenticator is transmitted to the first certificate authority, the first certificate authority searches the database for the conversion secret information corresponding to the received identification information, and the retrieved conversion secret information is Matches the authentication reference information received Check whether or not, if it matches, the authenticated person is a regular authenticated person, if it does not match, the authentication information indicating that the authenticated person is not authenticated as a regular authenticated person, A personal authentication method, characterized by transmitting to a second certificate authority, wherein the second certificate authority authenticates the person to be authenticated by the received approval / disapproval information. 31. The authenticated station encrypts ordering information of a product as the predetermined information with the second shared key information, and sends the authentication response information and the identification information of the authenticated person together with the first shared information. The personal authentication method according to claim 30, wherein the personal authentication method is transmitted to the second certification authority. 32. A method in which first and second certification authorities cooperate to certify information on a certification subject sent from the certification authority, wherein the first certification authority is configured to A pair of the identification information of the authenticator and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information is stored in the database in advance, The certificate authority generates a first variable parameter when there is an application for authentication from the certificated station, and performs a second one-way conversion on the first variable parameter to obtain the first variable parameter. Sending the authentication question information dependent on the variable parameter to the authenticated station, the authenticated station, when receiving the authentication question information,
A secret is generated by generating a second variable parameter, and performing a third one-way conversion on the second variable parameter, the authentication question information, and the secret information unique to the authenticated person to be authenticated. A first authentication response information that depends on the information, the first and second variable parameters, and a fourth one-way conversion for the public information about the second variable parameter and the second certificate authority. By applying the second variable parameter and the second information dependent on the public information.
Authentication response information is generated, and fifth shared key information is generated by performing a fifth one-way conversion on the second variable parameter, and the identification information of the person to be authenticated is converted into the first shared key information. It is encrypted with shared key information and transmitted to the second certificate authority together with the first and second response information for authentication, and the second certificate authority receives the received second response information for authentication and A second shared key information that does not depend on the public information is generated by performing a sixth one-way conversion on the secret information unique to the station, and is encrypted by the received first shared key information. The identification information of the authenticated person is decrypted with the second shared key information, and the second shared key information, the first variable parameter, and the received first authentication response information Authentication that does not depend on the first and second variable parameters by performing the one-way conversion Generate inquiry information for authentication, and the identification information of the authenticated person who decrypts the authentication inquiry information,
Transmitting to the first certificate authority, the first certificate authority searches the database for the conversion secret information corresponding to the received identification information of the authentication subject, and the searched conversion secret information is received Check whether or not it matches the authentication inquiry information, and if it matches, the authenticated person is a regular authenticated person, and if it does not match, the authentication information indicating that the authenticated person is not a regular authenticated person, A personal authentication method, characterized by transmitting to a second certificate authority, wherein the second certificate authority authenticates the person to be authenticated by the received approval / disapproval information. 33. The personal authentication method according to claim 32, wherein the first and second variable parameters are random number parameters. 34. When the secret information corresponding to the identification information of the person to be authenticated is a positive integer si, p is a prime number, and g is an integer value that satisfies the inequality 1 <g <p, the converted secret information is , G ^si is a remainder value when the prime number p is divided, the personal authentication method according to claim 32 or 33. 35. When the secret information corresponding to the identification information of the authentication subject is a positive integer si, p is a prime number, g is an integer value satisfying the inequality 1 <g <p, and h is a hash function. The conversion secret information is a residue value when ^{gh (si)} is divided by a prime number p.
The personal authentication method described in 3. 36. The first variable parameter r is an integer value that satisfies 0 <r <p-1 gcd (r, p-1) = 1 (where gcd (α, β) is α or β. The second variable parameter x is an integer value that satisfies 0 <x <p-1 gcd (x, p-1) = 1, and a secret unique to the second certificate authority. information _{s a, 0 <s a <} p-1 gcd (s a, p-1) is an integer value that satisfies = 1, the u, integer satisfying _{us a mod p-1 = 1} (0 <u < p-1), and the public information P _a about the second certificate authority is a value represented by P _a = g ^u mod p (where α mod β is a remainder value when α is divided by β). The second authentication response information C is a value calculated by C = Pa ^x mod p = g ^ux mod p, and the first The Yukagi information C _1, the value calculated by C ₁ = g ^x mod p, the second shared key information C _0, the value calculated by ^{_{C 0 = C sa mod p =}} g x mod p , Z is a value calculated by z = C ₀ ⁻¹ mod p, w is a value calculated by w = z ^r mod p = g ^−xr mod p, and s is rs mod p−1 = When the integer value satisfying 1 is satisfied (0 <s <p−1), the authentication question information Cha, the first authentication response information Resp, and the authentication inquiry information Aut are respectively Cha = g ^r mod p. Resp = Cha ^{x + h (si)} mod p = g ^{r {x + h (si)}}
mod p Aut = (Resp × w) ^s mod p = gh ^(si) m
The personal authentication method according to claim 35, wherein the personal authentication method is obtained by odd p. 37. The personal authentication method according to claim 34, wherein the integer value g is changed for each person to be authenticated. 38. The personal authentication method according to claim 35, wherein the hash function h is changed for each person to be authenticated. 39. The authenticated station encrypts predetermined information in addition to the identification information of the authenticated person with first shared key information, and sends it to the second authenticated station together with the authentication response information. The personal authentication method according to claim 32, wherein the personal authentication method is performed. 40. The personal authentication method according to claim 39, wherein the predetermined information is ordering information of a product. 41. A method in which first and second certification authorities cooperate to certify information on a certification subject sent from a certification authority, wherein the first certification authority is configured to A pair of the identification information of the authenticator and the converted secret information that is the result of the first one-way conversion of the secret information corresponding to the identification information is stored in the database in advance, The certificate authority generates a first variable parameter when there is an application for authentication from the certificated station, and performs a second one-way conversion on the first variable parameter to obtain the first variable parameter. Sending the authentication question information dependent on the variable parameter to the authenticated station, the authenticated station, when receiving the authentication question information,
A secret is generated by generating a second variable parameter, and performing a third one-way conversion on the second variable parameter, the authentication question information, and the secret information unique to the authenticated person to be authenticated. A first authentication response information that depends on the information, the first and second variable parameters, and a fourth one-way conversion for the public information about the second variable parameter and the second certificate authority. By applying the second variable parameter and the second information dependent on the public information.
Authentication response information is generated, and fifth shared key information is generated by subjecting the second variable parameter to fifth unidirectional conversion. Predetermined information is generated as the first shared key information. And sends it to the second certificate authority together with the response information for the first and second authentication and the identification information of the person to be authenticated, and the second certificate authority receives the second certificate for authentication. By performing a sixth one-way conversion on the response information and the secret information unique to the own station, second shared key information that does not depend on the public information is generated, and the received first shared key information. The predetermined information encrypted in step S1 is decrypted with the second shared key information, and the second shared key information, the first variable parameter, and the received first authentication response information Depends on the first and second variable parameters by applying a one-way conversion of No authentication reference information is generated, and the identification information of the authenticatee who received the authentication reference information is received together with the first information.
And the first certificate authority searches the database for the conversion secret information corresponding to the received identification information of the authenticated person, and the authentication inquiry received by the searched conversion secret information. It is checked whether or not the information matches, and if the two match, the authentication information indicating that the person to be authenticated is a legitimate person is authenticated. A personal authentication method, characterized by transmitting to a certification authority, wherein the second certification authority authenticates the person to be certified by the received approval / disapproval information. 42. The authenticated station encrypts order information of a product as the predetermined information with the first shared key information, and outputs the first and second authentication response information and the authenticated person. The personal authentication method according to claim 41, wherein the personal authentication method is transmitted to the second certificate authority together with identification information.